
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-J5W5-568X-RQ53: Remote Code Execution via Command Injection in @evomap/evolver


Vulnerability ID: GHSA-J5W5-568X-RQ53
CVSS Score: 9.8
Published: 2026-04-22

The @evomap/evolver NPM package contains a critical command injection vulnerability in its _extractLLM utility function. Applications passing unsanitized input to this function are vulnerable to unauthenticated remote code execution, allowing attackers to execute arbitrary system commands with the privileges of the Node.js process.

TL;DR

A command injection flaw in @evomap/evolver prior to version 1.66.5 allows remote code execution via unsafe use of execSync in the _extractLLM() utility.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-78
  • Attack Vector: Network
  • CVSS Score: 9.8
  • Impact: Remote Code Execution
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • @evomap/evolver (NPM)
  • Node.js applications utilizing Evolver for AI agent evolution
  • @evomap/evolver: < 1.66.5 (Fixed in: 1.66.5)

Mitigation Strategies

  • Upgrade the @evomap/evolver dependency to version 1.66.5 or higher.
  • Refactor code to avoid using child_process functions (exec, execSync) with unsanitized string interpolation.
  • Apply principle of least privilege to the Node.js execution environment.
  • Implement strict input validation on all data processed by the Evolver engine.

Remediation Steps:

  1. Identify all projects utilizing the @evomap/evolver package.
  2. Run 'npm update @evomap/evolver' or modify package.json to require version >=1.66.5.
  3. Execute integration tests to ensure compatibility with the updated library.
  4. Deploy the updated application to production environments.
  5. Audit system logs for indicators of compromise, specifically looking for anomalous child processes spawned by Node.js.

Read the full report for GHSA-J5W5-568X-RQ53 on our website for more details including interactive diagrams and full exploit analysis.
